
Businesses that are cloud-focused tend to run the most secure software, while the healthcare sector is struggling the most when it comes to accomplishing the same goal, according to the BSIMM8 Report.

Companies pushing the cloud envelope are most likely to run safer, cleaner code. On the flip side, as the healthcare industry embraces an increasingly software-driven business model, it is struggling to keep up with its peers when it comes to software security.

Those are some of the takeaways from participants in this year’s eighth annual Building Security in Maturity Model (BSIMM8) report, released today.

The annual report, which included data collected from 109 firms, serves as the software industry’s state of the union on trends impacting software security and the software development community.

“Why are cloud companies disproportionately doing a better job? In the cloud environment ‘write once and run everywhere’ isn’t just a slogan. It’s their business model and they have to have secure software,” said Gary McGraw, vice president for security technology at Synopsys, who helped author the report. “These companies are far and away more advanced than other companies when it comes to our records and data.”

The BSIMM8 report also revealed a groundswell of mature companies getting on board with beefing up their software security practices for the first time. McGraw said software security is increasingly becoming a priority for many more well-established companies.

“It wasn’t long ago that I could count on one hand the number of established companies that were part of the BSIMM and that were taking software reliability and security seriously,” McGraw said. “This is the first year we are seeing a lot of mature companies—not enlightened startups—focusing on building better software from the ground up.”

Continuing a trend that began last year, BSIMM8 revealed more verticals are developing cloud software using CI/CD (continuous integration and continuous delivery) and adopting agile software development, an iterative and incremental software development methodology that emphasizes quality over quantity.

The report also highlights challenges. McGraw said that of all the commonalities shared between sectors, businesses are still grappling with seeing the bigger picture when it comes to software architecture and design.

“There are two kinds of software defects you can look for. There are bugs in the code. The other kind is flaws in the design,” McGraw said. Too often developers forget that software is part of a distributed system, with design concerns such as controlling the traffic between client and server or making sure code doesn’t run on untrusted devices.

“It’s about getting the design right from the start,” McGraw said, using a house as a metaphor. “The bricks that you build a house with don’t just make a wall. They hold the house up and we need each brick to be solid and not be prone to termites.”

“In the past we were counting on firewalls to fix our broken stuff. As you know that’s a very silly way to do it. The only alternative is to get software right and make sure you are exercising software due diligence when it comes to security,” he said.

Discussion

Extending this around the SDLC in the cloud: on-prem simply cannot compete with the pace of tools and innovation happening in the cloud, so security is moving to the "left" much faster for SaaS than for on-premise.

Authors

Threatpost
